Our industry (area of cheap networked devices) has a standard that defines the usage of keys for both authentication and encryption using EAX mode of AES. This standard does not define key management, and someone wants to change this key material in devices using the RFC 3394 key wrap algorithm. For that they want to use these very same encryption/authentication keys as key-wrapping keys to receive new keys (no separate/master key-wrap-key).

It depends on the use of the keys; without more information I don't think anyone can really comment on this. It's certainly not recommended to use keys for different purposes. As the security of the new key is now dependent on the older key, I only see an advantage to this scheme if the use of the older key is getting close to the maximum, e.g. regarding side channel attacks.
– Maarten Bodewes, Aug 25 '12 at 20:32

@StoverFlo I assumed the anonymous edit was you not being logged in. If it wasn't, feel free to revert.
– CodesInChaos♦, Aug 27 '12 at 9:44

1 Answer
1

That's a really bad idea. The general rule is that a symmetric key can either be used for key wrapping or for data encryption, but never for both.

I assume that the keys already in the devices are currently used for processing data. If such keys are now also used for key wrapping, an attacker may abuse the existing protocols and processing facilities and use the device as an oracle to unwrap the new key packages you are about to send. Whether that is really a problem depends on how the keys are really used, but in general it is very dodgy and it should be avoided in the first place. If that's not possible, you need to carry out some serious analysis to verify that this cannot happen.

Note that the same problem exists even if you derive the actual wrapping key from the existing key material.
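
One way to enforce the "key wrapping or data encryption, never both" rule on the device side, as an added example that is not part of the original answer. It assumes the Python `cryptography` package for RFC 3394; `DeviceKeyStore`, `Slot`, `wrap_for_device` and the slot names are hypothetical.

```python
# Added example: per-slot usage enforcement, so a key is either a
# key-wrapping key (KEK) or a data key, never both.
from dataclasses import dataclass
from enum import Enum

from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)


class Usage(Enum):
    DATA = "data"      # EAX encryption/authentication of traffic
    KEY_WRAP = "wrap"  # RFC 3394 unwrapping of new key packages only


class UsageError(Exception):
    """A key was requested for a purpose it was not provisioned for."""


@dataclass(frozen=True)
class Slot:
    key: bytes
    usage: Usage


class DeviceKeyStore:
    """Hypothetical device key store; slot names are constructed."""

    def __init__(self, slots):
        self._slots = dict(slots)

    def _get(self, name, usage):
        slot = self._slots[name]
        if slot.usage is not usage:
            raise UsageError(f"slot {name!r} is {slot.usage.name}, not {usage.name}")
        return slot.key

    def data_key(self, name):
        return self._get(name, Usage.DATA)  # refuses KEK slots

    def install_wrapped(self, kek_name, new_name, package):
        """Unwrap an RFC 3394 package under a KEK slot; store it as a data key."""
        kek = self._get(kek_name, Usage.KEY_WRAP)  # refuses data-key slots
        new_key = aes_key_unwrap(kek, package)     # InvalidUnwrap if tampered
        self._slots[new_name] = Slot(new_key, Usage.DATA)


def wrap_for_device(kek, new_key):
    """Head-end side: wrap a new data key under the device's dedicated KEK."""
    return aes_key_wrap(kek, new_key)
```

The usage tag is fixed when the slot is provisioned, so a request to unwrap under a traffic key fails before any cryptographic operation runs.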